It's news, of course, when a security vendor reports that a Russian cyber gang has allegedly amassed 1.2 billion credentials, harvested from 4.5 billion stolen records (see: 5 Facts About CyberVor Report).
But Derek Manky, senior security strategist at security services vendor Fortinet, says we see large-scale password breaches routinely.
"These data breaches, whether we hear about them or not, are happening on a pretty regular basis," Manky says. "We've seen data breaches in the past in the millions and millions of passwords leaked and stolen."
Which raises the question: Why do we still make our security controls so reliant on simple user names and passwords?
"I know it's not, because we have to use it, but I truly believe the password is dead," Manky says. "There are so many different ways to get people's passwords - phishing, social engineering ... keylogging and botnets ..."
And even when stored passwords are encrypted, sophisticated tools and services can decrypt that information - for a price.
In an interview recorded at Black Hat USA in Las Vegas, Manky discusses:
- Why the password is dead;
- Insights into the underground economy;
- More secure approaches to user authentication.
Manky formulates security strategy based on years of threat and industry knowledge, with the goal of making a positive impact on the global fight against cyber crime. He has presented research and strategy worldwide at many security conferences, including meetings with leading political figures and key stakeholders who help define the future of cyber security. He works globally within the security industry and with Computer Emergency Response Teams (CERTs) to connect the dots, providing mitigation advice and threat forecasts based on correlated data and personal knowledge. This strategy can be integrated into new, advanced technology to fight cyber attacks.